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THE MAILING DATE OF THIS COMMUNICATION. 
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DETAILED ACTION 



Claim Rejections - 35 USC § 103 



1 . The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



2. Claims 1-40 are rejected under 35 U.S.C. 103(a) as being unpatentable over Vizcaino in view of 
Taylor and further in view of Berger et a/. , US Patents Nos 5.317.636 . 5.530.232 and 5.850.446 

respectively. 



Vizcaino discloses a method and apparatus for improving the security of credit card transactions 
involving " smart cards " equipped with a processor and storage memory , communicating with a verification 
computer via a digital network. When used, the cards produce a transaction verification number that is 
encrypted and then transmitted to the remote verification computer. The verification computer decrypts 
this number, retrieves the card owner's account information from its databases, computes a 
corresponding verification number, and compares the two numbers thus produced. If there's a match, the 
transaction is authorized and executed, and the card is updated with adjusted information (Abstract, 
Description, Figs 1-6). 

Tayior discloses a multi-application card system that enables and manages electronic 
transactions. The system uses smart cards or credit cards that are read by card readers at point-of-sale 
(POS) terminals (Fig 2-3); the customer's information, merchant information, and transaction specific data 
are transmitted via data link to a processing center where the data is authenticated and the transaction 
authorized and executed, customer and merchant accounts are debited/credited accordingly, confirmation 
and receipts are returned to the point-of-sale, and updated data gets written onto the smart cards' storage 
memory (Fig 4). 

Berger discloses a system for securing data transmissions within a payment system between 
computers operated by a buyer, merchant, and central processing authority ("payment gateway"). The 
payment gateway system evaluates a payment request and returns authorization of the payment to the 
merchant, after which the transaction is concluded, processed by the payment gateway, and customer 
and merchant's accounts are updated accordingly (Abstract; Fig 1-5). 



As per claims 1-2. 5-6 : 

Both Vizcaino (Fig 6, related description) and Tayior (Figs 2-4, related description) require that 
the customer's card forward unique customer information (Applicant's "unique client information") and 
transaction information (product or service requested) to the POS or card reader, for the purpose of 
further transmitting this data to an authorization/payment center. Both Vizcaino (Figs 2A-3, 6, related 
description; Col 5, lines 14-34) and Taylor (Col 6, lines 50-51) teach that this data may be encrypted by 
any convenient encryption method prior to transmission. 
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Berger (Figs 2-5, related description; Cols 13-16) describes how a "basic authorization request" 
(Fig 5A, Col 16, lines 2-15) consisting of customer information, merchandise/service information, and 
customer passwords/authentication data (i.e.PINs and/or customer master key), may be created between 
merchant and customer. This information is communicated by the customer to the merchant using 
cryptographic methods well known in the art (Col 14, line 52 - Col 15, line 1). Berger further describes 
how the merchant system then creates a "combined authorization request" (basic authorization request + 
merchant information/encryption keys/certificates) (Fig 4, related description), encrypts it, and hashes it to 
produce a "message digest" prior to transmitting this digest to an authorization/payment center (Col 15, 
line 65 - Col 1 6, line 41 ; Figs 4-5F). 

Vizcaino and Taylor teach that smart cards may be manufactured to store and interactively 
provide widely variable and unique customer data that can be provided to a merchant system for the 
purpose of authorizing and authenticating a transaction. Berger teaches a method similar to Applicant's 
for further securing said customer/transaction information combined with merchant information prior to 
transmission to an authorization/payment center. 

The above references disclose the limitations of claim 1 except for having the smart card itself 
combining all the required authorization data for a transaction, encrypting this data and hashing it, prior to 
transmitting the resulting "digest" to a merchant. However, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to implement this method of securing the data 
onto the smart card itself prior to transmission to the merchant's system, for the purpose of further 
insulating sensitive customer information from any unauthorized capture, in view of the processing 
capability already available on the card. It has been held that rearranging parts of an invention involves 
only routine skill in the art. In re Japikse, 86 USPQ 70. 

1. A method for securing a transaction ... used for transacting with a third party. 

2. The method recited in claim 1 ... hashing the unique requestor information. 

5. The method recited in claim 1 ...is performed by a smart card. 

6. The method recited in claim 1 ... retrieving the unique client information. 



As per claim 3 : 

Taylor discloses that transactions effected by a smart card may be paid from different 
customer accounts (i.e. Visa, Mastercard, Amex, etc.) (Fig 1). This would mean that the merchant 
would have to communicate to the smart card which among those credit card issuers the merchant 
has a corresponding account with, causing the smart card to access the proper master key for that 
particular credit card issuer. 

3. The method recited in claim 1 ... used to access the master key. 



As per claims 4. 7-11 : 

Vizcaino discloses the use of a unique transaction number (Fig 2A, related description) in 
creating an authorization request. Vizcaino also discloses that such unique transaction number may 
be one of a plurality (or a range) of numbers provided to the client by the authorizing party. 

4. The method recited in claim ...to the client by the third party. 

7. The method recited in claim 1 ... a purchase initiated by the client. 

8. A method for securing a ... client information to the requestor. 

9. The method recited in claim 8 ...to the client by the credit card issuer. 

10. The method recited in claim 8 ... passing the information to the merchant. 
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11. A method for securing a transaction ...to a credit card issuer. 



As per claims 12-30. 32-40 : 

All three references cited feature authorizing/payment processing centers where each 
transaction is sent for authorization, capture, and where merchant and customer accounts will be 
updated. Once authorization is obtained, it is communicated back to the merchant's system, so that the 
transaction maybe completed, receipts printed, and/or customer card updated electronically. Vizcaino 
uses a comparison between a unique transaction number generated by the customer's card and a 
corresponding number generated by the authorizing center to determine authorization (Fig 6, related 
description). Berger provides detailed descriptions on various methods for said authorization, 
processing, and confirmation (Figs 6-12, related description). It would have been obvious to one 
ordinarily skilled in the art at the time the invention was made to combine the features described in the 
cited references to create a system meeting all the limitations of the claims listed below. This would 
have been done to provide a secure, reliable, and effective payment system utilizing credit, debit, and 
smart cards, usable at merchant POS terminals as well as on a network such as the Internet. 

12. The method recited in claim 11 ... receiving a response from the credit card issuer. 

13. A method for securing ... with the digest from the requestor. 

14. The method recited in claim ... the unique requestor information. 

15. The method recited in claim 13 ... by the third party. 

16. The method recited in claim 15 ... number contained in the unique client information. 

17. The method recited in claim 13 ...performed by a smart card. 

18. The method recited in claim 13 ...accessing the master key. 

19. The method recited in claim 13 ...purchase initiated by the client. 

20. A method for securing a transaction ... authorization digest with the billing digest 

21. A method for securing a transaction ... and the master key. 

22. A smart card for conducting ... account information to a requestor. 

23. A system for conducting secure transactions ... with a third party. 

25. The system recited in claim 24 ... unique requestor information. 

26. The system recited in claim 24 ...access the master key. 

27. The system recited in claim 24 ...to the client by the third party. 

28. The system recited in claim 24 ...performed by a smart card. 

29. The system recited in claim 24 ... the unique client information. 

30. The system recited in claim 24 ... transaction initiated by the client. 

32. A system for securing a transaction ... digest from the requestor. 

33. The system recited in claim 32 ... hashing the unique requestor information. 

34. The system recited in claim 32 ... by the third party. 

35. The system recited in claim ...the unique client information. 

36. The system recited in claim 32 ... performed by a smart card. 

37. The system recited in claim 32 ... prior accessing the master key. 

38. The system recited in claim 32 ... initiated by the client. 

39. A computer program product ...for transacting with a third party. 

40. A computer program product ... information to the requestor. 



As per claim 31 : 

Taylor discloses that biometric identifiers (voice, fingerprint, photo) may be 
incorporated on smart cards to further authenticate and authorize legitimate users of said 
cards (Fig 4, related description). It would have been obvious to one ordinarily skilled in the art 
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to have added this feature to any embodiment of a payment system based on said cards 
should the need present itself for this level of security. 

31. The system recited in claim 24 ... of a client's fingerprint. 



Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to David Q Le whose telephone number is 703-305-4567. The examiner can normally be 
reached on 8:30am-5: 30pm Mo-Fri. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
James P Trammel! can be reached on 703-305-9768. The fax phone numbers for the organization where 
this application or proceeding is assigned are 703-305-7687 for regular communications and 703-305- 
7687 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding should be 
directed to the receptionist whose telephone number is 703-308-1 113. 



Conclusion 



DQL 

October 17, 2002 




